Key Management
Security World keys in the Web Services Option Pack environment are managed by using the Web Services Option Pack REST API. Non-confidential key data which exists and can be accessed outside the HSM is stored in a database management system. For details about the key storage in the database management system, see the Database chapter.
Security World keys are identified using an appname and an ident. The appnames supported by Web Services Option Pack are simple, wspkcs11 and pkcs11.
simple keys can be generated and used through the WSOP API. simple keys can also be migrated into WSOP if the algorithm is supported.
PKCS #11 keys can be generated and used through the WSOP PKCS #11 library. PKCS #11 keys can also be migrated into WSOP if the algorithm is supported by the WSOP PKCS #11 library. wspkcs11 designates keys which have been generated through the WSOP PKCS #11 library, and pkcs11 designates legacy PKCS #11 keys which have been migrated into WSOP.
The ident can only contain digits and lowercase letters. It cannot contain spaces, underscores (_), or hyphens (-).
Protection Domains
Web Services Option Pack provides support for Softcards through the concept of Protection Domains. A single Protection Domain is available for each Softcard, in addition to a "Module" Protection Domain which is the set of all HSM-protected keys.
A Protection Domain can be "activated" and "deactivated", which is equivalent to loading and unloading a Softcard.
The Module Protection Domain is always activated and cannot be deactivated.
Once a Protection Domain is activated all Key Groups that are protected by the active domains are able to load and create keys for use, until that Protection Domain is deactivated.
A Protection Domain does not need to be activated to load the public half of an asymmetric key or to delete a key.
Key Groups
Key Groups hold a collection of keys that are linked by a single common Protection Domain. All Security World keys belong to exactly one Key Group. A Key Group is created automatically for each available Protection Domain.
Client segregation
The Web Services Option Pack (WSOP) introduces the concept of WSOP client segregation, which makes it possible for keys protected by Softcards to be used only after each client has presented the authentication passphrase associated with the particular Protection Domain.
WSOP provides client segregation at the Protection Domain level only when TLS Client Authentication is enabled.
Individual clients are identified by the client TLS certificate issuer and subject fields, and each WSOP client (with a unique combination of issuer and subject) will have to individually activate the Protection Domains they want to use.
As the activated state of a Protection Domain is specific to a WSOP client, any commands that require the Protection Domain to be activated will only be successful if the TLS client certificate can be successfully validated and this certificate contains the correct issuer and subject fields.
When client segregation is in operation, any key or token handles loaded in the HSM will be loaded in a separate client space to other Web Services Option Pack clients and nShield applications.
The keys are visible to all clients, and they can still be listed and deleted regardless of the Protection Domain's activation state.
Access to and usage of public keys is not restricted by client segregation, therefore any client is able to use the public part of an asymmetric key.
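The ident rule above, together with the Protection Domain, Key Group and client segregation rules, can be expressed as a small authorization model that shows which operations a given TLS client may perform on a given key. The following Python is an added example written for this page, not code from Web Services Option Pack: the class and function names, the use of the name `module` for the Module Protection Domain, the Softcard name `softcard1`, and the sample certificate issuer/subject strings are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Added example modelling the WSOP rules described on this page; it is not
# Web Services Option Pack code. Names below are assumptions for illustration.

IDENT_RE = re.compile(r"[0-9a-z]+")
APPNAMES = {"simple", "wspkcs11", "pkcs11"}
MODULE_DOMAIN = "module"  # assumed name for the Module Protection Domain


def valid_ident(ident: str) -> bool:
    """An ident may contain only digits and lowercase letters, so it can
    never contain spaces, underscores or hyphens."""
    return IDENT_RE.fullmatch(ident) is not None


@dataclass(frozen=True)
class ClientId:
    """A WSOP client is identified by its TLS certificate issuer and subject."""
    issuer: str
    subject: str


@dataclass
class Key:
    appname: str
    ident: str
    domain: str        # the Protection Domain whose Key Group holds the key
    asymmetric: bool   # asymmetric keys have a public half loadable without activation


class WsopModel:
    """Per-client Protection Domain activation and the operations it gates."""

    def __init__(self) -> None:
        self.keys: dict[tuple[str, str], Key] = {}
        self._activated: dict[ClientId, set[str]] = {}

    def active_domains(self, client: ClientId) -> set[str]:
        # The Module domain is always active for every client.
        return self._activated.get(client, set()) | {MODULE_DOMAIN}

    def activate(self, client: ClientId, domain: str) -> None:
        # Equivalent to loading the Softcard, but only for this client.
        self._activated.setdefault(client, set()).add(domain)

    def deactivate(self, client: ClientId, domain: str) -> None:
        if domain == MODULE_DOMAIN:
            raise PermissionError("the Module Protection Domain cannot be deactivated")
        self._activated.setdefault(client, set()).discard(domain)

    def create_key(self, client, appname, ident, domain, asymmetric=False) -> Key:
        if appname not in APPNAMES:
            raise ValueError(f"unsupported appname {appname!r}")
        if not valid_ident(ident):
            raise ValueError(f"invalid ident {ident!r}")
        if domain not in self.active_domains(client):
            raise PermissionError(f"Protection Domain {domain!r} not activated")
        if (appname, ident) in self.keys:
            raise ValueError("key already exists")
        key = Key(appname, ident, domain, asymmetric)
        self.keys[(appname, ident)] = key
        return key

    def list_keys(self, client: ClientId) -> list[tuple[str, str]]:
        # Keys are visible to all clients regardless of activation state.
        return sorted(self.keys)

    def load_key(self, client, appname, ident, public_only=False) -> str:
        """Return which half was loaded: 'public' or 'private'."""
        key = self.keys[(appname, ident)]
        if public_only:
            if not key.asymmetric:
                raise ValueError("only asymmetric keys have a public half")
            return "public"   # public half needs no activation
        if key.domain not in self.active_domains(client):
            raise PermissionError(f"Protection Domain {key.domain!r} not activated")
        return "private"

    def delete_key(self, client, appname, ident) -> None:
        # Deletion does not require the Protection Domain to be activated.
        del self.keys[(appname, ident)]


def denied(fn, *args, **kwargs) -> bool:
    """True if the call is refused with PermissionError."""
    try:
        fn(*args, **kwargs)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    m = WsopModel()
    # Constructed sample identities; any real deployment has its own CA and subjects.
    alice = ClientId("CN=Example WSOP CA", "CN=client-a")
    bob = ClientId("CN=Example WSOP CA", "CN=client-b")
    m.activate(alice, "softcard1")
    m.create_key(alice, "simple", "rsa1", "softcard1", asymmetric=True)
    print(m.load_key(alice, "simple", "rsa1"))                  # private
    print(denied(m.load_key, bob, "simple", "rsa1"))            # True: bob has not activated
    print(m.load_key(bob, "simple", "rsa1", public_only=True))  # public
```

The model keeps the activated set per `ClientId` rather than globally, which is the property client segregation gives you: a second client presenting a different issuer/subject pair sees the same key list but cannot load the private half until it has activated the Softcard's Protection Domain itself, while the public half and deletion work for any client.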